
Agree somewhat, but from the "PoCs" I've seen played with over the time of this thread it's just been via .js etc.

The person visits the site with the <script></script> tags and the site then places a "Desktop Shortcut", i.e. somesite.lnk, onto the desktop. The victim then double clicks, loads up the browser, and then .js throws the malware onto the machine once the script has run behind the scenes.

Anyone got an example of a malformed .lnk pulling an .exe once loaded? I would be very keen to take a look.

Sorry if I'm making little or no sense, had a few to drink and only planned to reply to an e-mail but spotted a new reply and figured heeey why not.

Originally Posted by HYBR|D

Agree somewhat, but from the "PoCs" I've seen played with over the time of this thread it's just been via .js etc.

The person visits the site with the <script></script> tags and the site then places a "Desktop Shortcut", i.e. somesite.lnk, onto the desktop. The victim then double clicks, loads up the browser, and then .js throws the malware onto the machine once the script has run behind the scenes.

You don't need to double click the .lnk; simply viewing it executes the code crafted in it.

Originally Posted by HYBR|D

Anyone got an example of a malformed .lnk pulling an .exe once loaded? I would be very keen to take a look.

I think the Stuxnet/Win32, the one that targeted the power plants, not the less elegant version that is flying around, uploads a system driver called jmidebs.sys and some .exes. The other clunkier strain probably has some payload of .exes. You can probably find the binaries floating around some security researcher's blog >.<

It's still dog doo-doo when it comes to permissions though. You're allowed to read, execute, and write (but not modify) almost anything you want as nobody. Under a guest account in Windows you're not given write access to anything at all.

OK, did you mean this as in "over the network" logins? Or physically sitting there? There's a bit of a difference there, because the "Guest Account" on Windows may not allow that, but what I was saying about clicking cancel and it working, you don't really need an account at all. And over a network, who'd allow logins for the Nobody account? The reason user nobody can do anything is that it's how you start all the forks and things for Apache. You need to allow that account to write to SOME things, otherwise it wouldn't work right.

Also, I think you're missing the fun that can be had by doing this:

chsh -s /bin/rm nobody

"chsh" doesn't actually require that the shell you change for a user be an actual shell. That's how those admins write those little interfaces where everything, when a user logs in, shows up in one of those custom menus. They couldn't do that if it HAD to be an actual shell. So technically, you could change the nobody account to have a command for a login shell, and on top of that.... Between Linux and BSD, I know user nobody doesn't get to have actual logins on MY machines. And in BSD I think by default user nobody can't log in.

This stuff is just as easy to change as "Turn off Automatic Login" would be in Windows, so it's not like it's any more of an issue. Besides, I've never seen someone actually use the nobody account to try much of anything since it doesn't have access to much. And of course you COULD put that thing in a sandbox or a jail.
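The point made above, that nobody and the other service accounts should never end up with a real login shell, is easy to check rather than assume. The script below is an added example written for this thread, not something any poster shared: it audits a passwd file and lists every non-root system account whose shell is one of the "real" shells in /etc/shells. It assumes the usual Linux/BSD convention that system accounts have UIDs below 1000 or at 60000 and above (nobody is 65534 on both), and it treats any shell absent from /etc/shells (nologin, /bin/false, or the deliberate non-shell from the chsh example) as non-interactive. The sample passwd and shells files are constructed for the demo; point the function at /etc/passwd and /etc/shells to audit a live box.

```shell
#!/bin/sh
# Added example (not from the thread): list service accounts that still have
# an interactive login shell. Assumption: "system account" means UID below
# SYSTEM_UID_MAX or at or above HIGH_UID_MIN (covers nobody = 65534).
SYSTEM_UID_MAX=${SYSTEM_UID_MAX:-1000}
HIGH_UID_MIN=${HIGH_UID_MIN:-60000}

# audit_system_shells PASSWD_FILE SHELLS_FILE
# Prints "user:shell" for each non-root system account whose shell is listed
# in SHELLS_FILE, i.e. an account that can really get an interactive login.
audit_system_shells() {
    passwd_file=$1
    shells_file=$2
    while IFS=: read -r name pw uid gid gecos home shell; do
        # skip blank lines, comments and root itself
        [ -z "$name" ] && continue
        case $name in \#*) continue ;; esac
        [ "$name" = root ] && continue
        # non-numeric UID means a malformed line; skip it rather than guess
        case $uid in ''|*[!0-9]*) continue ;; esac
        if [ "$uid" -ge "$SYSTEM_UID_MAX" ] && [ "$uid" -lt "$HIGH_UID_MIN" ]; then
            continue   # ordinary human user, out of scope for this check
        fi
        # -x: whole-line match, so /bin/sh does not match /bin/shell; -F: literal
        if grep -qxF -- "$shell" "$shells_file"; then
            printf '%s:%s\n' "$name" "$shell"
        fi
    done < "$passwd_file"
}

# write_sample_files DIR
# Constructed sample data (not a real system). nobody with /bin/sh is the
# misconfiguration discussed above; daemon and www-data use nologin.
write_sample_files() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$dir/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
EOF
}

# demo: run the audit against the constructed files, before and after
# the chsh trick from the post (nobody's shell becomes /bin/rm).
demo() {
    tmp=$(mktemp -d)
    write_sample_files "$tmp"
    echo "== before chsh =="
    audit_system_shells "$tmp/passwd" "$tmp/shells"
    sed 's#^nobody:\(.*\):/bin/sh$#nobody:\1:/bin/rm#' "$tmp/passwd" > "$tmp/passwd.after"
    echo "== after chsh -s /bin/rm nobody =="
    audit_system_shells "$tmp/passwd.after" "$tmp/shells"
    rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

Run it with `sh audit.sh demo` to see the two constructed runs: before the change it flags `nobody:/bin/sh` and `backup:/bin/bash`; afterwards only `backup:/bin/bash` remains, which is exactly why the post's non-shell trick, or better a real nologin, keeps the account out of the report.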

Update 1: This tool currently only protects against LNK files and does not protect against PIF based exploits. It also does not protect against LNK files or targets stored on the local disk. Thanks to ISC reader Gerrit for the additional information.

Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware.

"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."